# HG changeset patch # User Sebastien Decugis # Date 1237353382 -32400 # Node ID c8dd0bdbd9e64e06f1c9c51adac929604736e2c6 # Parent 4f4591406a24fc1407eaf924430e506755bd5503 More cleanups. diff -r 4f4591406a24 -r c8dd0bdbd9e6 New_ERP_draft_src.txt --- a/New_ERP_draft_src.txt Wed Mar 18 14:04:55 2009 +0900 +++ b/New_ERP_draft_src.txt Wed Mar 18 14:16:22 2009 +0900 @@ -1,3 +1,4 @@ + *Abstract* The EAP Re-authentication Protocol [RFC5296] provides an optimization for EAP authentication when a peer moves from an authenticator to another. This protocol assumes that a AAA protocol is available to transport the ERP messages between authenticator and ER server. [draft-gaonkar-radext-erp-attrs-03] specifies the transport of ERP using RADIUS. This document specifies the transport of ERP using Diameter [RFC3588]. @@ -47,11 +48,12 @@ There are several options to bootstrap the ER server. This document discusses some of the options, but a different mechanism not described here may be deployed as well. See the following sections for more details about bootstrapping scenarii. - - Peer Authenticator ER server - ==== ============= (bootstrapped) - [ <------------------------ ] (local or home domain) - [optional EAP-Initiate/Re-auth-start] ====================== + ER server + (bootstrapped) + Peer Authenticator (local or home domain) + ==== ============= ====================== + [ <------------------------ ] + [optional EAP-Initiate/Re-auth-start] -----------------------> EAP-Initiate/Re-auth 
@@ -76,6 +78,7 @@ The purpose of bootstrapping is to provide the keying material to the ER server. This keying material is rRK (directly derived from EMSK) when the ER server is in the peer's home domain. The keying material is rDSRK (derived from DSRK, itself derived from EMSK) when the ER server is in the visited domain. + *Scenario 1: explicit bootstrapping* As described in [RFC5296], an explicit bootstrapping exchange can be initiated by the peer. In this case, the realm part of the Keyname-NAI is the home domain of the peer. @@ -101,22 +104,22 @@ Authenticator ER server Home EAP server ============= ========= =============== -----------------------> - ERP/DER - (EAP-Initiate) + Diameter ERP/DER + (EAP-Initiate) ------------------------> - EAP/DER + Diameter EAP/DER (EAP-Initiate) (ERP-RK-Request) <------------------------ - EAP/DEA + Diameter EAP/DEA (EAP-Finish) (ERP-RK-Answer) (rMSK) <---------------------- - ERP/DEA - (EAP-Finish) - (rMSK) + Diameter ERP/DEA + (EAP-Finish) + (rMSK) Figure 3. ERP explicit bootstrapping message flow. @@ -138,23 +141,23 @@ Authenticator ER server Home EAP server ============= =========== =============== -------------------------> - EAP/DER + Diameter EAP/DER (EAP-Response) -------------------------> - EAP/DER + Diameter EAP/DER (EAP-Response) (ERP-RK-Request) <==================================================> - Multi-round EAP exchanges, unmodified + Multi-round Diameter EAP exchanges, unmodified <------------------------- - EAP/DEA + Diameter EAP/DEA (EAP-Success) (MSK) (ERP-RK-Answer) <------------------------- - EAP/DEA + Diameter EAP/DEA (EAP-Success) (MSK) @@ -167,6 +170,7 @@ {TODO: study this case ?} + *Scenario 5: Other possibilities* {In case implementation-specific solution is retained, list here the constraints?}
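Review bot: Grammar in the unchanged Abstract context of the first hunk (@@ -1,3 +1,4 @@): "when a peer moves from an authenticator to another" reads better as "from one authenticator to another", and "a AAA protocol" should be "an AAA protocol" (spoken as "triple-A"). Since this hunk only adds the *Abstract* marker, the wording could be tidied in the same cleanup.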
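Review bot: In the second hunk (@@ -47,11 +48,12 @@) the third column header is now stacked as "ER server", "(bootstrapped)" and "(local or home domain)", but the "(local or home domain)" qualifier has been moved away from the bootstrapping arrow "[ <------------------------ ]" it used to annotate, so it is no longer clear whether it describes the ER server's location or the bracketed exchange. Consider keeping the qualifier on the header line directly above "======================" and giving the bracketed arrow its own short label. Also, "scenarii" in the unchanged context should be "scenarios".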
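Review bot: In the third hunk (@@ -76,6 +78,7 @@) the new "*Scenario 1: explicit bootstrapping*" heading is placed after the paragraph that distinguishes rRK (home domain) from rDSRK (visited domain), so that paragraph reads as part of the general purpose of bootstrapping rather than of Scenario 1. If the rRK/rDSRK distinction is meant to apply to every scenario that placement is fine; otherwise the heading should come before it. The heading style matches the "*Abstract*" marker added in the first hunk.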
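Review bot: In the fourth hunk (@@ -101,22 +104,22 @@) the "Diameter" prefix is applied consistently across Figure 3, but the home EAP server's answer to the ER server is labelled "(ERP-RK-Answer) (rMSK)" while the text in the previous hunk says an ER server in the visited domain needs rDSRK (derived from DSRK). The figure should name which root key the ERP-RK-Answer delivers to the ER server, as distinct from the rMSK that is forwarded to the authenticator, since that is the security-relevant difference between the two legs.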
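Review bot: Same labelling question for the implicit bootstrapping figure in the fifth hunk (@@ -138,23 +141,23 @@): the home server's "(ERP-RK-Answer)" on the ER-server leg carries no key name, whereas the authenticator leg shows "(MSK)". Naming the root key returned in ERP-RK-Answer would make this figure consistent with Figure 3 and make clear what the ER server retains after the "Multi-round Diameter EAP exchanges, unmodified".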
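Review bot: In the last hunk (@@ -167,6 +170,7 @@) the added "*Scenario 5: Other possibilities*" heading sits directly above the "{In case implementation-specific solution is retained, list here the constraints?}" placeholder, and "{TODO: study this case ?}" remains in the context just before it; both braced notes should be resolved or clearly marked as editor notes before the draft circulates. The numbering also implies Scenarios 2 through 4 exist in the unchanged text, so their headings should use the same "*Scenario N: ...*" form.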